Computer Protection Program at Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory

Kelvir.B Worm

Kelvir.B (also detected as IM-Worm.Win32.Kelvir.b, W32/Kelvir.worm.c, W32/Kelvir-C, and WORM_KELVIR.B) is a worm that spreads through Windows Messenger and MSN Messenger by sending contacts a link to a file that, once run, downloads and executes a variant of W32.Spybot.Worm.

Once executed, W32.Kelvir.B performs the following actions:

  1. Sends the following message to all Windows Messenger and MSN Messenger contacts on the compromised computer:

     [Link to a Web site on the home.earthlink.net domain] lol! see it! u'll like it

     A recipient must click on the link, download the file omg.pif, and then execute it; the worm does not spread without that user action.

  2. Once omg.pif is executed, it attempts to download the following file and save it as c:\dumprep.exe (an executable served under an image file name, so filtering on the .jpg extension alone will not stop it):

     [Link to a Web site on the home.earthlink.net domain]/me.jpg

  3. The downloaded file is a variant of W32.Spybot.Worm. Once executed, it copies itself as:

     %System%\hotkeysvc.exe

     and sets the file's attributes to hidden, read-only, and system, so it is not shown by a default directory listing.

  4. Attempts to download an additional file from the domain yoursite.com. Note: at the time of writing, the file was unavailable.

  5. Adds the value:

     "CPQHotkeys" = "hotkeysvc.exe"

     to the registry subkeys:

     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
     HKEY_CURRENT_USER\Software\Microsoft\Ole
     HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
     HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
     HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Run
     HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\RunServices
     HKEY_USERS\.default\Software\Microsoft\Ole
     HKEY_USERS\.default\System\CurrentControlSet\Control\Lsa

     so that it runs when Windows starts.

  6. Adds the value:

     "EnableDCOM" = "N"

     to the registry subkey:

     HKEY_LOCAL_MACHINE\Software\Microsoft\Ole

     to disable DCOM.
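
The alert lists the dropped files and registry values but gives no way to check a host for them. The following is an added example, not part of the original alert and not a Berkeley Lab tool, that parses a `reg export`-style .reg file and a file listing and reports which of the indicators above are present. The registry export and the file listing embedded in it are constructed sample input, not real captures, and %System% is assumed to expand to C:\WINDOWS\system32.

```python
import re

# Indicators taken from the alert above.
RUN_VALUE_NAME = "CPQHotkeys"
RUN_VALUE_DATA = "hotkeysvc.exe"
RUN_SUBKEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Ole",
    r"HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Ole",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa",
    r"HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_USERS\.default\Software\Microsoft\Ole",
    r"HKEY_USERS\.default\System\CurrentControlSet\Control\Lsa",
]
DCOM_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Ole"
DROPPED_FILES = {"omg.pif", "dumprep.exe", "hotkeysvc.exe"}

# One "name"="data" line of a .reg file (the default value is written as @).
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Parse .reg text into {key: {value_name: data}}.

    Keys and value names are lowercased because the registry is case-insensitive.
    Quoted (REG_SZ) data has its quotes and .reg backslash escaping removed;
    other value types (hex:, dword:) are kept verbatim.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1).lower()
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_kelvir_indicators(reg: dict, file_paths: list) -> list:
    """Return one finding per matching indicator; an empty list means none matched."""
    findings = []
    for subkey in RUN_SUBKEYS:
        data = reg.get(subkey.lower(), {}).get(RUN_VALUE_NAME.lower())
        # Compare the file name only, so a full path to hotkeysvc.exe also triggers.
        if data is not None and _basename(data) == RUN_VALUE_DATA:
            findings.append(f"autostart value {RUN_VALUE_NAME}={data} under {subkey}")
    # EnableDCOM is a legitimate value; only the worm's setting of "N" is flagged.
    if reg.get(DCOM_KEY.lower(), {}).get("enabledcom", "").strip().upper() == "N":
        findings.append(f"EnableDCOM=N under {DCOM_KEY} (DCOM disabled)")
    for path in file_paths:
        if _basename(path) in DROPPED_FILES:
            findings.append(f"dropped file present: {path}")
    return findings


def scan(reg_text: str, file_paths: list) -> list:
    return find_kelvir_indicators(parse_reg_export(reg_text), file_paths)


# Constructed sample input (not a real capture); %System% assumed to be C:\WINDOWS\system32.
INFECTED_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SomethingBenign"="C:\\Program Files\\Vendor\\tray.exe"
"CPQHotkeys"="hotkeysvc.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"CPQHotkeys"="hotkeysvc.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Ole]
"EnableDCOM"="N"
"CPQHotkeys"="hotkeysvc.exe"
"""
INFECTED_FILES = [r"C:\WINDOWS\system32\hotkeysvc.exe", r"C:\dumprep.exe", r"C:\WINDOWS\notepad.exe"]

CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SomethingBenign"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Ole]
"EnableDCOM"="Y"
"""
CLEAN_FILES = [r"C:\WINDOWS\system32\notepad.exe"]

if __name__ == "__main__":
    for label, reg_text, files in (("infected", INFECTED_REG_EXPORT, INFECTED_FILES),
                                    ("clean", CLEAN_REG_EXPORT, CLEAN_FILES)):
        hits = scan(reg_text, files)
        print(f"{label}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  " + hit)
```

On a real host, export each subkey with `reg export <key> <file.reg>` and pass the file's text to `scan` together with a directory listing of %System% and the root of C:; note that .reg files written by recent Windows versions are UTF-16, so open them with that encoding. Because the worm marks hotkeysvc.exe hidden and system, the listing must include hidden files (`dir /a`) or the file check will miss it.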

How to Recover if Your System Becomes Infected

Because of the number of changes Kelvir.B makes to the systems it infects, cleaning them is not trivial. Follow the clean-up procedures described here.
